Security Testing of the DonorUA Medical Platform

Client:
DonorUA – a nationwide initiative and IT platform for the development of blood donation.
Industry:
Healthcare & Medicine
Focus:
Security testing of web applications, protection of personal and medical data
Main challenge:
Identifying vulnerabilities in web services that process personal and medical information
Market:
Ukraine
Services provided:
Key Takeaways
  • Provided a security recommendations report.
  • No critical security threats were confirmed.
  • A black-box pentest of two web applications was performed.
  • 13 vulnerabilities were identified: 2 medium, 9 low, and 2 informational.
  • A combination of automated and manual testing was applied.
  • 13 vulnerabilities found
  • 2 web applications tested
  • 2 weeks project duration
    Developing software according to security best practices does not by itself guarantee full protection. DonorUA approached Datami to test their web applications. The automated pentest revealed a number of vulnerabilities, including a login page open to brute-force attacks and vulnerable libraries. Datami additionally performed targeted manual testing of the vulnerable functionality.

    DonorUA is a nationwide initiative in the field of blood donation. The organization uses its own IT platform to search for donors, support hospitals, and assist patients.

    The client’s services process personal and medical data; therefore, cybersecurity is critical for DonorUA – any vulnerability may affect the stability of web resources and user trust.

    Tasks and challenges
    Despite following security best practices during development, DonorUA wanted to check its web applications for potential vulnerabilities to ensure robust protection of users’ sensitive data.

    The organization turned to Datami and requested automated penetration testing of two platforms.
     
    • Conduct an automated pentest of the public website and the DonorUA user portal
    • Check the security of the web resources for vulnerabilities to enable timely remediation
    • Provide a detailed technical report describing identified threats and recommendations for mitigation
    Penetration testing
    Black-box testing of two DonorUA web applications using specialized security tools.
    Vulnerability assessment
    Analysis of functionality that may contain vulnerabilities and be exposed to potential cyberattacks.
    Report and recommendations
    Preparation of a detailed security report with findings and actionable improvement recommendations.

    Our approach

    For the DonorUA project, the Datami team applied a Black-box strategy and automated web application pentesting methods. We used several key tools, including Burp Suite, OWASP ZAP, Nessus, Nuclei, and Wapiti.

    After scanning the websites, we additionally performed manual testing of potentially vulnerable functionality. This allowed us to fully cover the attack surface and thoroughly investigate areas most susceptible to exploitation.

    Black-box

    Pentesting strategy without access to internal code – as close as possible to the actions of a real attacker
    Project stages

    First, Datami aligned with the client on critical security testing parameters, including scope, depth, permissions, and timelines. 

    Next, an automated pentest of the web applications was conducted. With the remaining time, specialists additionally performed manual analysis of the most vulnerable areas, followed by detailed reporting.

    • Preparation
      Agreement on project details and key parameters. Selection of security testing strategy, methods, and tools.
    • Testing
      Automated Black-box pentest of the websites and manual verification of the most high-risk areas.
    • Analysis and reporting
      Creation of the final report describing detected vulnerabilities and providing recommendations for remediation.

    Results and recommendations

    Based on the testing of the public website and personal account of DonorUA, the Datami team identified 13 non-critical vulnerabilities:

    • 2 medium,
    • 9 low,
    • 2 informational.

    The detected issues included technical weaknesses such as the login page being open to brute-force attempts. The use of outdated JavaScript libraries and weak control of file uploads were also recorded.

    Based on the analysis, a technical report was prepared and recommendations for improving security were provided, in particular:

    • implement rate limits to prevent automated attacks;
    • regularly update the libraries in use to their current versions;
    • optimize file-handling mechanisms by limiting the file types allowed for upload.

    As a result, DonorUA received a clear picture of the weak points of its web applications and an action plan for remediating them.

    Project summary

    The project was completed within two weeks as planned. At the same time, a deeper assessment was performed than originally anticipated. Datami confirmed the absence of critical risks and a stable security level of DonorUA web applications.

    However, this case study demonstrated that even when security practices are followed during development, services may still contain vulnerabilities, and regular security audits for medical platforms remain extremely important.

    • Level of risks: Unknown / 13 non-critical vulnerabilities identified
    • Critical vulnerabilities: Unknown / Not detected
    • Timeline: Planned – 2 weeks / Completed on time, with additional manual analysis